MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f5a368e8e1fd840abbe075db0a30756ca6297af3c9d3a8f9e1998f57e1204cbd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f5a368e8e1fd840abbe075db0a30756ca6297af3c9d3a8f9e1998f57e1204cbd
SHA3-384 hash: 9eac3127cbe048b0e44ccad1c41e8ae8c9d1a45491abe27c3131696644f168c1854134289cf49d3a5acb69f2c55db6e6
SHA1 hash: dfd25bfe60ce85dbd72cafa9986679bfc233ef24
MD5 hash: 315993f7d191ebd0615faf3822ca249e
humanhash: fillet-summer-fourteen-mockingbird
File name:DHL PO1001910.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:498'176 bytes
First seen:2020-12-09 10:44:41 UTC
Last seen:2020-12-09 13:02:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash fe19725c720b3564577348fd32bb4f52 (4 x AgentTesla)
ssdeep 12288:OrtmEMM7jH0Pv9wNRDzcRvimfenZpsvSCL:O7MeHMOvciqyZpqbL
Threatray 1'821 similar samples on MalwareBazaar
TLSH DEB4E01175E94F30E07F46324410A6620AAFFD3A8E659FDF67D83C4D7A781C0AA25B63
Reporter abuse_ch
Tags:AgentTesla DHL exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: slot0.plantchem.gq
Sending IP: 173.82.16.89
From: DHL EXPRESS <info@plantchem.gq>
Reply-To: janechioma779@gmail.com
Subject: DHL PO1001910 Sample Arrive : Tracking No_SINI0068206497
Attachment: DHL PO1001910.gz (contains "DHL PO1001910.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
133
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL PO1001910.exe
Verdict:
Suspicious activity
Analysis date:
2020-12-09 11:09:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/cfaa2a09-8082-434b-b84b-7c64a56f20ae

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/107438/
Detection(s):
SecuriteInfo.com.BackDoor.SpyBotNET.25.6181.24193.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Unauthorized injection to a recently created process
Creating a window
Creating a file
Result
Gathering data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/558906
Signature
.NET source code contains very large array initializations
Detected unpacking (creates a PE file in dynamic memory)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f5a368e8e1fd840abbe075db0a30756ca6297af3c9d3a8f9e1998f57e1204cbd/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-12-09 02:57:07 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6wrwr2hb7wcavo7aoxnqumdvnstcs6xtzhj2r6pbtghvpyjajs6q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
36ad174dc1219e4abe9fabbc138e47e218e83741101f6848de3d05af6528948b
AgentTesla
48c481b14b6773bc4405945f9444cc6fc45fe5908c3ef24f5faf4b0815d27615
AgentTesla
5be73e98e79472632484157eb2f58f914dee24521fc6cb5f26c02709664a0413
AgentTesla
5c29a539dce239a74350459e71421bec8f0e925b218aeb8aed8e3067d2ae7f32
AgentTesla
67bff3c99f10c2b189df24202f66a3901d355847afee7de4f66c78aff794c923
AgentTesla
7c49ac4366eb07c5e5a146356908ba9e2e7e1bb2630422821f93530f0e2ec2ed
AgentTesla
84afce79b516a2535b4f063e9dd9aef84aa6288bdc65c4fa5dbbba0bc06727ec
AgentTesla
c04d9dda88a75f4ed924e20617847a4d7a8ff729754e8ad66f3557fb90ed5d25
AgentTesla
e2442b1de26c03cdd8343e1a8f0428a97c341181bc8289d92f2764931dcab744
AgentTesla
f104dda9f5fb6e0f5659843ce1698c2da434fe2cd9e986a4cd410c0473ca6cf6
AgentTesla
+ 1'811 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201209-n6dfyjc6kj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
f5a368e8e1fd840abbe075db0a30756ca6297af3c9d3a8f9e1998f57e1204cbd
MD5 hash:
315993f7d191ebd0615faf3822ca249e
SHA1 hash:
dfd25bfe60ce85dbd72cafa9986679bfc233ef24
Link:
https://www.unpac.me/results/3a16d024-f8b8-4120-9836-9cdafa2f8819/
SH256 hash:
e5a44ca5b29dd0d640b551d6530b5c4f79b6805ce8ec92471ff9c81c4c922984
MD5 hash:
f4278deb9743b9eb98db3a151b8ee5e6
SHA1 hash:
f334757717383e866a229e863a90be4e83d1dbee
Link:
https://www.unpac.me/results/3a16d024-f8b8-4120-9836-9cdafa2f8819/
SH256 hash:
f32e2672b6a956edc5dd373d889e0b4296110833964daf5220c927f343b8a326
MD5 hash:
de20076f639802ef344a76ffa1a7cca4
SHA1 hash:
fb1b23a2661406636608717fdb9a6ee60f398e63
Link:
https://www.unpac.me/results/3a16d024-f8b8-4120-9836-9cdafa2f8819/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f5a368e8e1fd840abbe075db0a30756ca6297af3c9d3a8f9e1998f57e1204cbd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz 2e9dfb5cf40b1fe1ca5561c0b425d958b676f794a7683e472a57e42c25782119

AgentTesla

Executable exe f5a368e8e1fd840abbe075db0a30756ca6297af3c9d3a8f9e1998f57e1204cbd

(this sample)

  
Dropped by
MD5 0dfdc249b1052d92b735fba367f6f856
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/107438/
  
Dropped by
SHA256 2e9dfb5cf40b1fe1ca5561c0b425d958b676f794a7683e472a57e42c25782119

Comments